---
title: Configuring Authentik Authentication Service for LobeChat
description: >-
  Learn how to configure Authentik for Single Sign-On (SSO) for LobeChat, including creating an application provider, setting environment variables, and deployment instructions.

tags:
  - Authentik Configuration
  - Single Sign-On (SSO)
  - LobeChat Authentication
  - Environment Variables
  - Deployment Instructions
---

## Configuring Authentik Authentication Service

## Authentik Configuration Flow

<Steps>
  ### Create an Authentik Application Provider

  In your Authentik instance, use the administrator account to go to **Admin Interface** -> **Applications** -> **Providers** and create a new provider.

  Select **OAuth2/OpenID Provider** as the provider type. Fill in the provider name, select the authentication flow and authorization flow.

  In the `Redirect URL/Origin (regex)` field, fill in:

  ```bash
  https://your-domain/api/auth/callback/authentik
  ```

  <Callout type={'info'}>
    - You can fill in or modify the `Redirect URL/Origin (regex)` later, but make sure the filled in
      URL matches the deployed URL. - Replace `your-domain` with your own domain name
  </Callout>

  <Image alt="Create Authentik Provider" inStep src="https://github.com/lobehub/lobe-chat/assets/67304509/4244634e-5f68-48d5-aac0-e5f4b06d1c4b" />

  Click **Done**

  After the creation is successful, click **Applications** on the left -> **Create**, fill in the name and Slug, select the provider created in the previous step, and click **Create**.

  After the application provider is created, click the corresponding provider to enter the details page, click **Edit**, and save the `Client ID` and `Client Secret`.

  Copy the URL of `OpenID Configuration Issuer` and save it.

  ### Configure Environment Variables

  When deploying LobeChat, you need to configure the following environment variables:

  | Environment Variable      | Type     | Description                                                                                                                                                                                                         |
  | ------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  | `NEXT_AUTH_SECRET`        | Required | The secret used to encrypt Auth.js session tokens. You can generate a secret using the following command: `openssl rand -base64 32`                                                                                 |
  | `NEXT_AUTH_SSO_PROVIDERS` | Required | Select the SSO provider for LoboChat. Use `authentik` for Authentik.                                                                                                                                                |
  | `AUTH_AUTHENTIK_ID`       | Required | The Client ID from the Authentik application provider details page                                                                                                                                                  |
  | `AUTH_AUTHENTIK_SECRET`   | Required | The Client Secret from the Authentik application provider details page                                                                                                                                              |
  | `AUTH_AUTHENTIK_ISSUER`   | Required | The OpenID Configuration Issuer from the Authentik application provider details page                                                                                                                                |
  | `NEXTAUTH_URL`            | Required | This URL is used to specify the callback address for Auth.js when performing OAuth authentication. It only needs to be set when the default generated redirect address is incorrect. `https://example.com/api/auth` |

  <Callout type={'tip'}>
    Go to  [📘 Environment Variables](/docs/self-hosting/environment-variable#Authentik) for details about the variables.
  </Callout>
</Steps>

<Callout type={'info'}>
  After a successful deployment, users will be able to use LobeChat by authenticating with the users
  configured in Authentik.
</Callout>
